There are many ways to exploit Fuku, a machine that is not so easy to compromise – at least not for the impatient, as it has some interesting defense mechanisms – some of which you will discover below, and some of which I’ll let you discover 🙂

Today, I’ll show you my way.

First of all, a scan to discover all open ports is needed, so I used nmap.

nmap -A -sV -v -p- 172.16.100.61

It seems that all ports are open.

Connecting with netcat to some random ports reveals that the responses are very similar on each of them; only the reported Apache version varies a little:


[root:~]# telnet 172.16.100.61 20
Trying 172.16.100.61...
Connected to 172.16.100.61.
Escape character is '^]'.
HTTP/1.0 200 OK
Server: Apache/2.4.6 (Ubuntu)
FUKU!

[root:~]# telnet 172.16.100.61 245
Trying 172.16.100.61...
Connected to 172.16.100.61.
Escape character is '^]'.
HTTP/1.0 200 OK
Server: Apache/2.4.8 (Ubuntu)
FUKU!

It is clear that this machine is configured to mislead scanners and make an attacker’s life harder when trying to discover the network services that are really running.

Since nmap seems useless here, it is time to try other alternatives.

Thinking there was a good chance the vulnerable machine ran some web application, I fired up wfuzz; the only “unusual” part this time is that we will not fuzz directories and files, but ports instead:

After some waiting we got our port: 13370.

Another tool for port scanning is amap, known as the first tool to perform application protocol detection. While it has been superseded by nmap over the years, as amap’s authors mention, “in some circumstances amap will yield better results, but these are rare”, so I gave it a chance:

amap -b1q 172.16.100.61 1-65535 | grep -v FUKU

Amap proved to be very useful and helped me identify the open ports where nmap and other scanners failed.
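To make the deception concrete, here is an added example (my own code, not something from the original post or from the Fuku VM) of the kind of port-spoofing decoy described above, together with the classification step that the amap pipeline's `grep -v FUKU` performs by hand: any port whose banner matches the dominant fingerprint is a decoy, the rest are candidates for a real service. The version pool, the marker body and the Joomla sample banner are assumptions, not values taken from the page.

```python
"""Added example (not from the original write-up): a minimal port-spoofing
decoy of the kind Fuku appears to use, plus the step that separates decoy
banners from a real service in a set of banner-grab results.

Assumptions (mine, not the page's): the decoy answers every TCP connection
with a short HTTP-style response whose Apache version is picked at random
and whose body is the fixed marker 'FUKU!'; the real service is the Joomla
site on port 13370.
"""
import random
import socket
import socketserver
import threading
from collections import Counter
from typing import Dict, List, Optional, Tuple

MARKER = b"FUKU!"
# Assumed version pool; the page itself only shows 2.4.6 and 2.4.8.
FAKE_VERSIONS = ["2.4.6", "2.4.7", "2.4.8", "2.4.9"]


def decoy_response(rng: Optional[random.Random] = None) -> bytes:
    """Build the banner the decoy sends. The Apache version varies per
    connection, so comparing raw banners across ports does not expose it."""
    version = (rng or random).choice(FAKE_VERSIONS)
    return (
        b"HTTP/1.0 200 OK\r\n"
        b"Server: Apache/" + version.encode() + b" (Ubuntu)\r\n"
        b"\r\n" + MARKER + b"\n"
    )


class DecoyHandler(socketserver.BaseRequestHandler):
    """Answer any connection with the decoy banner, then close."""

    def handle(self) -> None:
        self.request.sendall(decoy_response())


class DecoyServer(socketserver.TCPServer):
    allow_reuse_address = True


def start_decoy(port: int = 0) -> socketserver.TCPServer:
    """Bind one decoy listener on loopback (port 0 = ephemeral) in a daemon
    thread. Covering all 65535 ports on a real host is done by pointing a
    firewall REDIRECT rule at a single listener like this one (not shown)."""
    srv = DecoyServer(("127.0.0.1", port), DecoyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def grab(port: int, host: str = "127.0.0.1", timeout: float = 2.0) -> bytes:
    """Read whatever the listener on `port` sends first (a banner grab)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024)


def fingerprint(banner: bytes) -> bytes:
    """Stable part of a response: status line plus body, ignoring headers
    such as the Server: line that the decoy deliberately varies."""
    status = banner.split(b"\r\n", 1)[0]
    body = banner.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in banner else b""
    return status + b"|" + body.strip()


def classify_banners(banners: Dict[int, bytes]) -> Tuple[List[int], List[int]]:
    """Split grab results into (decoy_ports, candidate_ports).

    Whatever fingerprint dominates the result set is treated as the decoy;
    every other port is a candidate for a real service. This is the same
    idea as the page's `grep -v FUKU`, without knowing the marker up front."""
    if not banners:
        return [], []
    fps = {port: fingerprint(b) for port, b in banners.items()}
    dominant, _ = Counter(fps.values()).most_common(1)[0]
    decoys = sorted(p for p, fp in fps.items() if fp == dominant)
    candidates = sorted(p for p, fp in fps.items() if fp != dominant)
    return decoys, candidates


# Constructed sample of what a banner grab against Fuku looks like.
SAMPLE_BANNERS: Dict[int, bytes] = {
    20: decoy_response(random.Random(1)),
    245: decoy_response(random.Random(2)),
    8080: decoy_response(random.Random(3)),
    13370: (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\n\r\n"
            b"<html><head><title>Home - Joomla</title></head></html>\n"),
}

if __name__ == "__main__":
    srv = start_decoy()
    print(grab(srv.server_address[1]).decode())  # one live decoy banner
    srv.shutdown()
    print(classify_banners(SAMPLE_BANNERS))  # ([20, 245, 8080], [13370])
```

Run as a script it starts one decoy listener on loopback, grabs its banner and classifies the constructed sample. On a real host a single listener of this kind is usually fronted by a firewall redirect so that every unused port lands on it, which is exactly why nmap reports everything open. From the defender's side, the same property is the tell: a scan log showing thousands of near-identical HTTP banners with jittered version numbers is itself a strong indicator that a deception layer is in place, and the version jitter is what makes fingerprinting on the stable part of the response (status line and body) rather than on the Server: header necessary.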

On the host, port 13370 is running a web application which is easily identified as Joomla CMS.

Another thing worth noting: in robots.txt a file caught my attention, flag.txt, with the following contents:

After a quick look-over we can see that the web application uses a plugin for playing media content, HD FLV Player, which has known vulnerabilities described in: